All your VPN belong to us!

A critical global threat is unfolding as both cybercriminals and nation-state actors actively target digital infrastructure worldwide, employing tactics such as VPN and Credential Theft, posing severe risks to global cybersecurity.

The COVID-19 pandemic has exacerbated the situation, leading to a surge in cyber threats marked by an alarming number of vulnerabilities and CVEs. The widespread adoption of remote work and increased reliance on digital platforms has expanded the attack surface for cybercriminals.

Urgent calls for swift responses from government agencies like CISA and local CERTs underscore the severity of the situation, with some countries, such as the USA, issuing emergency directives for immediate actions. The past two weeks alone have witnessed a significant spike in known vulnerabilities, exploits, and targeted attacks.

Organisations globally now face an unprecedented wave of security challenges, from phishing scams to sophisticated malware attacks. This surge underscores the crucial need for enhanced security measures, urging everyone's full cooperation and attention. Organisational readiness, awareness, and adherence to digital security best practices are pivotal in fortifying defences against evolving cyber threats.

Measures for Organisations Using Affected VPN Solutions

Organisations relying on any VPN solution, whether it be Fortinet, Ivanti/Pulse Secure, Cisco ASA, Cisco AnyConnect, or Cisco Secure Connect, yet especially those facing vulnerabilities, should promptly undertake the following measures:

Immediate Actions

1. Disconnect all instances of such VPN solutions from networks.
2. Conduct ongoing threat hunting on systems connected to or recently associated with the impacted VPN solutions.
3. Monitor authentication and identity management services for potential exposure.
4. Isolate systems from enterprise resources to the maximum extent possible.
5. Continuously audit accounts with elevated privilege levels.

To Reinstate a VPN Solution (Post-Disconnection):

1. Export configuration settings.
2. Perform a factory reset as per the solution provider's instructions.
3. Rebuild the VPN devices following the providers' instructions and upgrade to the latest available patches through the official portals. For Ivanti/Pulse Secure: Follow the instructions provided by Ivanti for upgrading and patching. For Cisco ASA, Cisco AnyConnect, and Cisco Secure Connect: Apply the latest patches available on Cisco's official website. Fortinet has a special page detailing cleanup routines.
4. Rebuild (or reimport) the configuration. (only after "re-formatting" to remove any persistence)
5. If mitigations or specific configuration files were applied, consult the providers' knowledge bases for guidance on removing these mitigations after upgrading.
6. Revoke and reissue any connected or exposed certificates, keys, and passwords, including resetting the admin enable password, API keys, and passwords for local users defined on the VPN solutions.

Ongoing Security Measures

• Organisations must operate on the assumption that domain accounts associated with the VPN solutions may have been compromised.
• Reset passwords twice for on-premise accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts in hybrid deployments.
• For cloud-joined/registered devices, disable devices in the cloud to revoke the device tokens.

These actions are crucial to fortify organizational cybersecurity, considering vulnerabilities in VPN solutions. Stay vigilant and prioritize the security of your network and computer infrastructure.

Recommendation to End-User

Key Points to Remember:

1. Phishing Awareness: Be cautious of unexpected emails, especially those requesting sensitive information or instructing urgent actions. Verify the legitimacy of emails and refrain from clicking on suspicious links.
2. Password Security: Ensure your passwords are robust, unique, and regularly updated. Apply multi-factor authentication (MFA) whenever possible.
3. Device Security: Keep your devices updated with the latest security patches. Avoid connecting to unsecured networks and use approved and maintained VPNs for remote work at work.
4. Reporting Suspicious Activity: If you encounter any unusual or suspicious digital activity, promptly report it to your IT department. Early detection is critical in mitigating potential threats.
5. Security Training: Participate actively in the security awareness training sessions to empower you with the knowledge and skills needed to navigate the digital landscape securely.

Actions to be taken:

1. VPN Assessment: Companies should assess and update their VPN hardware, appliances, and software to the latest versions and in federal cases report versions back.
2. Do not connect to the VPN yet: Unless you have received feedback from your IT department that the version is on the whitelist and your computer and software is up to date, don't connect to the VPN yet.
3. Update & Secure your Password: In general update your employee password now. Update your password via Office 365 (no VPN) or other secure means, or as soon as your employer has updated their software systems and rotated their keys and given the all clear.

In case of emergency

1. Immediate Isolation: Isolate affected systems immediately to prevent further damage and limit the impact of the attack. Unpopular advice: disconnect compromised devices from the network.

2. Contact Cybersecurity Professionals: Contact a reputable incident response team and cybersecurity professionals to help assess the extent of the breach, identify vulnerabilities, and guide you through the recovery process.

3. Communication and Notification: Prepare a communication plan to inform relevant stakeholders about the incident. Be transparent about the situation without disclosing sensitive details. Notify employees, customers, and any necessary authorities as required.

4. Preserve Digital Evidence: Preserve digital evidence for forensic analysis. This will be crucial for understanding the attack vectors, identifying the attackers, and strengthening our security measures.

5. Data Recovery: Collaborate with data recovery experts to restore and retrieve critical data. Ensure that recovered data undergoes thorough malware scanning before reintegrating it into the network.

6. Patch and Update Systems: Identify and patch vulnerabilities exploited during the attack. Ensure all software, operating systems, and security tools are up to date to prevent future vulnerabilities.

7. Password Changes: Initiate a mandatory password reset for all users. Implement strong password policies and consider introducing multi-factor authentication (MFA) for added security.

8. Review and Update Security Policies: Evaluate and update our organization's security policies and procedures. Reinforce security awareness training for employees to prevent similar incidents in the future.

9. Backup System: Confirm the availability of a secure backup of critical data for quick recovery. Verify the integrity of backup files and conduct regular tests of the restoration process. Applying a 3-2-1 system is highly recommended if you don’t have such yet.

10. Implement Security Enhancements: Enhance security measures based on insights gained during the incident. Implement intrusion detection systems, endpoint protection, and network monitoring to fortify your defences.

11. Incident Response Plan Review: Review and update your incident response plan based on lessons learned during the recovery process. This includes refining communication strategies, incident detection, and response procedures.

12. Legal and Regulatory Compliance: Ensure compliance with relevant legal and regulatory requirements. Report the incident to appropriate authorities and adhere to any notification obligations.

13. Continuous Monitoring: Implement continuous monitoring of network activities to swiftly detect any signs of malicious behaviour or unauthorized access.

14. Employee Training and Awareness: Provide ongoing cybersecurity training to employees to enhance their awareness of potential threats and the importance of adhering to security policies.

15. Engage with Cybersecurity Services: Consider engaging cybersecurity services for ongoing monitoring, threat intelligence, and vulnerability assessments to prevent future incidents.

Understanding the activities and motivations of nation-state-sponsored actors is crucial for organisations to fortify their cybersecurity defences. Vigilance, robust security measures, and international cooperation are essential to mitigate the impact of cyber threats originating from these entities.

#VPN #Cybersecurity #Vulnerabilities